cli-anything-notebooklm
Warn
Audited by Gen Agent Trust Hub on Apr 18, 2026
Risk Level: MEDIUMEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill requires installing an unverified third-party Python package 'notebooklm-py' from a non-trusted repository to provide core functionality.
- [EXTERNAL_DOWNLOADS]: Installation instructions include downloading and installing the Chromium browser via Playwright, which involves fetching external binaries at runtime.
- [COMMAND_EXECUTION]: The skill's primary function is to execute shell commands (cli-anything-notebooklm) that interface with local system processes and browser sessions.
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface as it ingests untrusted data from external sources (NotebookLM sources, URLs, and generated artifacts) and interpolates them into the agent's context without explicit boundary markers or sanitization documented in the skill.
- Ingestion points: Notebook content, source lists, and chat history fetched via the CLI harness.
- Boundary markers: Absent from the provided instruction set.
- Capability inventory: Capability to list, create, and download content to the local filesystem and interact with authenticated browser sessions.
- Sanitization: No evidence of sanitization or validation of the data retrieved from NotebookLM before processing.
- [CREDENTIALS_UNSAFE]: While the instructions explicitly warn the agent not to expose auth files or cookies in logs, the skill's operation depends on accessing valid local NotebookLM login sessions and cookies, which are sensitive credentials.
Audit Metadata